I get asked a lot about password policy during my travels around the globe giving presentations and from people who email after webinars. Many of the questions are the same and I’ve decided to cover them and my answers with this blog article.
We have been hearing for a long time that one day passwords will go away and be replaced by something else. When will passwords finally go away?
I’ve been hearing that prediction for nearly 30 years. I will say this -- probably not anytime soon! It will likely be a decade or longer, if ever before passwords ago away. Why? Because passwords work everywhere. You can teach a two-year-old to use a password and they’ll use it as competently as a 60-year-old. Passwords just work and work everywhere. They certainly have their issues, especially security issues, but everything does. And there just isn’t any viable option that works with as many places as passwords do, especially as cheaply both in implementation and support.
Isn’t multi-factor authentication the answer? Won’t MFA solve hacking?
Probably not on the first question and definitely not on the second question. First, as great as MFA can be as a security option, most of today’s most popular solutions involve what is known as “user friction”. User friction involves the steps a user has to take to be authenticated. With passwords, the user has to create, remember, and reuse their login name and password. That’s a small amount of friction. With multi-factor authentication, there is almost more friction. The user usually has to remember something (be it a login name, password, PIN, connect-the-dot pattern, etc.) and do something else…hence the multi-factor part of MFA. MFA means more user friction. The future of authentication in the long run is likely less friction, however that is accomplished.
MFA definitely won’t solve hacking. It does significantly decrease the risk of many forms of hacking, especially in some scenarios, like broad phishing attacks looking to get passwords. In some scenarios, like broad phishing attacks looking to get passwords. If the user doesn’t know or have a password, they can’t be tricked out of it. In some cases, the use of MFA decreases the risk of hacking by over 99%. That’s pretty great. But there is a huge difference between decreasing some forms of hacking in certain scenarios and declaring something unhackable.
Any MFA solution can be hacked a half dozen different ways. I’m just finishing up writing a new book for Wiley right now called Hacking MFA. In it, I cover over 50 ways to hack various forms of MFA, and I can hack any MFA method at least a half dozen different ways. Most of them, I can hack 10-11 ways. If MFA was to become far more popular, it’s not like the hackers are going to simply give up. MFA is being hacked to the tune of millions of individual hacks a year. Often times, the hacks are harder to accomplish, but sometimes they are far easier. And just like now, I, as an attacker, can send someone a rogue email and hack their login, whether they are using MFA or not. And that’s a very important point…that MFA can be hacked. Because if an admin or organization starts using MFA and suddenly thinks they don’t have to worry about hacking, that puts them in a worse position than if they worried about it and prepared their users like they have done for decades. Telling someone that they can take off their seat belts while doing 70mph down an interstate because their car has all sorts of safety features or can drive itself is going to cause more injuries than if people drive safely and defensively. It’s the same thing in the cybersecurity world.
Well, we are stuck with passwords for right now. What should someone’s password policy be?
Here’s my current password policy recommendations for organizations:
- Use multi-factor authentication (MFA) when possible and when obviously needed for security (i.e., you don’t need it for every site and logon).
- Where MFA is not an option, use password managers where you can, creating unique, long as-possible, random passwords for each website or security domain.
- Where password managers aren’t possible, use long, simple passphrases.
- Change all passwords at least once a year, and change business passwords every 90 to 180 days.
- In all cases, don’t use common passwords (e.g., 123456, password, or qwerty, etc.).
Most importantly, regardless of your password policy, never reuse any password between different sites! That’s the most important advice I can give.
What do you think about biometrics?
I’m not a big fan of them being used as single-factor authenticators. First, once they are stolen (and all biometrics can be stolen), how can any system relying on them trust them again? My fingerprints, along 5.6 million other people’s…anyone who had applied for a U.S. government security clearance, was stolen by a Chinese nation-state team in 2015 . My wife’s fingerprints from 1983 when she was a teenage girl working at a shipyard were stolen. Thirty-two years later, not only were her authentication factors compromised, but she could absolutely still be using them. Compare that with a digital certificate that expires every year or two or passwords which often expire even sooner.
Once a biometric factor is stolen how can any system that relies on it solely to authenticate someone trust that someone using it is the real person? It can’t. Our biometrics are everywhere and are too easy to steal. Once stolen, what are we supposed to do, change our fingerprints, hand veins, or iris pattern?
Second, almost any biometric reader is hideously inaccurate. Your fingerprint or eyeball may be unique in the world, but the way your biometrics are recorded and confirmed is not. Almost all biometric solutions are purposefully “de-tuned”, so they don’t erroneously reject the real user too many times. For example, all of us get tiny abrasions and cuts on our fingertips every day. Fingerprint readers have to purposefully ignore those minute changes or else they would reject us too much. And when it does that, it means an attacker has a great chance of faking out the system. Anytime a vendor has said their biometric solution was impossible to fake out, there has been a 17-year-old kid on YouTube the next day showing how he/she faked it out using $2 of material. Biometrics just aren’t good authenticators…and for more reasons than these.
I’m not a big fan of biometrics period. Too many people see them as the Holy Grail of authentication and they certainly aren’t. But if they are used they need to be used with a second factor to ensure that a stolen biometric factor alone isn’t able to be used to login alone.
What is the future of authentication then?
Probably something that is called continuous adaptive authentication, used in scenarios where your pre-registered device is a big key to your identity. It is likely that in the future, you will be allowed to use your apps simply because you are accessing them from your computer or phone where you normally do every day. The systems will understand that. And as long as you do things you normally do…in ways you normally do them…the system will authenticate you and allow you to do what you normally do. But if you do something different…say login from a different device from a different country and try to transfer your entire bank balance to a new Russian bank…well, then, the system will probably want more authentication. It’s like your credit cards are today. You are likely to go around spending as much money as you like, and maybe be prompted for a PIN or signature. But if you suddenly make a big purchase, such as an expensive piece of jewelry or new big screen television, then your credit card vendor might ask you to additionally confirm the purchase by sending you a message to your pre-registered cell phone number. Same thing here. In the future, authentication is likely to be nearly frictionless, adaptive, and continuous…on all the time. Today, authentication mostly happens only at the beginning. You are either fully allowed to do everything or nothing based upon your initial sign-in. That’s always been a clumsy way of doing authentication. In the future, authentication will be based more on where and what you do than anything else.
Any parting thoughts?
Yes, I try to remind people that 70% to 90% of all malicious breaches are from social engineering and phishing and 20% to 40% is from unpatched software. Together, they account for 90% to 99% of all successful breaches. Everything else added up all together, including password issues, only accounts for maybe, at the most, 10% of all breaches. So if you’re spending days and days debating what your password policy should be, but not also spending days and days improving the controls you use to mitigate social engineering and unpatched software, you’re spending too much time on passwords.